Static analysis at Mozilla

Thu Jun 10 12:57:41 PDT 2010

On Thu, 10 Jun 2010 15:55:18 -0400, Sean Kelly <sean at invisibleduck.org>  
wrote:

> Ali Ã‡ehreli Wrote:
>
>> Sean Kelly wrote:
>>  > bearophile Wrote:
>>  >
>>  >> C++ Static Analysis as done on the large Mozilla codebase:
>>  >> http://blog.ezyang.com/2010/06/static-analysis-mozilla/
>>  >> It shows that it's important to have a more powerful static
>> reflection in D. It works well with scoped user-defined attributes too.
>>  >
>>  > As much as I like static analysis, it still has a long way to go.
>> For example, here's some C code that a static analysis tool recently
>> flagged as broken:
>>  >
>>  >     size_t fn( char** pdst, char* src, size_t srclen ) {
>>  >         __thread static char* dst      = NULL;
>>  >         __thread static size_t dstcap = 0;
>>  >         if( dstcap < srclen ) {
>>  >             dstcap = srclen;
>>  >             dst      = realloc( dst, dstcap );
>>  >         }
>>  >         memcpy( dst, src, srclen ); // Purify: ERROR - uninitialized
>> write
>>  >         *pdst = dst;
>>  >         return srclen;
>>  >     }
>>  >
>>  > Basically, it wasn't smart enough to realize that dst would
>>  > always be non-NULL when the memcpy occurred, let alone that it
>>  > would also always be large enough.  For such false positives,
>>  > it's generally necessary to insert pointless code simply to
>>  > silence the error, thus complicating the function and
>>  > increasing the cost of maintenance.  I still believe that the
>>  > benefits of static analysis vastly outweigh the cost, but I'd
>>  > love to see more intelligence in branch analysis if nothing
>>  > else.
>>
>> realloc may return NULL. Perhaps they are catching that condition?
>
> I suppose so.  Maybe I should change the if statement to a loop and see  
> what happens.

What about if srclen is 0?  Won't memcpy then be passed a null pointer via  
dst?  Does the static analyzer look inside memcpy to see if it uses the  
pointer when the size is 0?

-Steve